Abstract

The main objective of this work is twofold. On the one hand, it gives
a brief overview of the area of two-party cryptographic protocols. On
the other hand, it proposes new schemes and guidelines for improving the
practice of robust protocol design. In order to achieve such a double goal,
a tour through the descriptions of the two main cryptographic primitives
is carried out. Within this survey, some of the most representative algorithms
based on the Theory of Finite Fields are provided and new general
schemes and specific algorithms based on Graph Theory are proposed.
A two-party cryptographic protocol may be defined as the specification of a
sequence of computations and communications performed by two entities in
order to accomplish some common goal. For instance, several algorithms may
be described in the form of two-party protocols, which allow one to perform in the
telecommunication world some usual actions such as flipping a coin, putting a
message in an envelope, signing a contract or sending a certified mail. This
work surveys known protocols based on finite fields, and proposes new general
and specific solutions based on graphs.

Several approaches to the design of cryptographic protocols have been car-
ried out from different angles. Some of them have had the aim of developing a set
of standards that can be applied to cryptographic protocols in general, whereas
others have proposed new specific protocols. The simplest approach to analyzing
cryptographic protocols consists in considering them in an abstract environment
where absolute physical and cryptographic security is assumed. The main dis-
advantage of this formal approach is that it does not address potential flaws in
actual implementations of concrete algorithms. On the other hand, the tradi-
tional approach has consisted in guaranteeing the security of specific protocols
based on Finite Mathematics, such as the Quadratic Residuosity Problem and
the Discrete Logarithm Problem. In general such an approach does not allow
the composition of protocols in order to design more complex protocols, because
it requires re-modelling the entire system and re-proving its security. In this
paper we propose a mixed approach where security conditions are guaranteed
for certain types of actual protocols. These algorithms may be used as modules
in order to build complex protocols while maintaining security conditions.

This work is organized as follows. Firstly, basic concepts and necessary tools 
are introduced in section 2. Afterwards, specific notation used throughout the 
work and general properties of two-party cryptographic protocols are described 
in section 3. In section 4 special attention is paid to the general-purpose protocol 
of Oblivious Transfer and its different versions and applications. Section 5 is 
devoted to the other primitive of Bit Commitment and its main application, 
the so-called Zero-Knowledge Proof. Finally, several conclusions and possible 
future works are mentioned in section 6. 

2 Background 

This work addresses the topic of secure distributed computing through the pro- 
posal of general and specific schemes for some two-party cryptographic pro- 
tocols. In such a context, two parties who are mutually unreliable have to 
cooperate in order to reach a common goal in an insecure distributed environ- 
ment. 

The design of cryptographic protocols typically includes two basic phases
corresponding to specification and verification. Up to now, most works have
concentrated on this latter step, while the systematic specification of protocols is
still a largely unexplored area. The best known formal methods to analyze
cryptographic protocols that have been published may be classified into three
types. The modal logic based approach is represented by the BAN logic model
for analyzing cryptographic protocols, first published in [7]. On the other hand,
one of the earliest works that used the idea of developing expert systems to
generate and investigate various scenarios in protocol design was [9]. A dif-
ferent approach to protocol verification was based on algebraic systems [12].
Regarding research in the emerging area of formal and systematic specification
of cryptographic protocols, a modular approach was proposed in [21]. Finally, a
methodology for both specification and verification of protocols was presented
in [20], and several basic informal design principles were proposed in [1].



Note that the design of protocols is not difficult if a Trusted Third Party
(TTP) is available. In such a case, all input information may be given by both
parties to it, and then the TTP can distribute the corresponding outputs to each
party. However, the enormous costs of extra communications, establishment and
maintenance of a TTP justify the search for secure non-arbitrated protocols. In
fact, the importance of cryptographic protocol design lies in the fact that a TTP
becomes unnecessary. Typical solutions to avoid a TTP in cryptographic proto-
col design include the use of two powerful tools: computational complexity as-
sumptions and random choices. In most specific cryptographic protocol designs
the computing power of one or both parties is assumed to be bounded. Usually,
some unproven assumption on the intractability of some finite mathematical
problem and some sort of interaction between both parties are also required. Most
two-party cryptographic protocols include the use of two general techniques, the
so-called Cut-and-Choose and Challenge-Response methods. The Cut-and-Choose
technique consists of two stages. First, a party cuts a secret piece of information
into several parts and then the other participant chooses one of them. The goal of
this technique is to achieve a fair partition of the aforementioned information.
The second method, Challenge-Response, is also formed by two steps. The first
step is a challenge from one of the parties to the other, whereas the second step
is the answer to such a challenge.

It is important to remark that most cryptographic protocols are based on
cryptosystems, and therefore their security depends both upon the strength of
the underlying cryptosystems and on the effectiveness of the protocols in
exploiting that strength. In particular, most of the protocols analyzed in this
work are based on finite mathematical problems that are assumed to be difficult in
general. Thus, a poor and careless design may expose protocols to breaches in
security, which can be the ideal starting point for various attacks.

Two-party cryptographic protocols usually consist of a series of message ex-
changes between both parties over a clearly defined communication network.
Consequently, the possibility always exists that one or both parties might cheat
to gain some advantage, or that some external agent might interfere with normal
communications. The simplest situation occurs when each party may function
asynchronously from the other party and make inferences by combining a pri-
ori knowledge with received messages. In a worst case analysis of a protocol,
one must assume that any party may try to subvert the protocol. As a con-
sequence, when designing a two-party cryptographic protocol, one of the two
following possible models should be considered. On the one hand, the so-called
semi-honest model is defined when it is assumed that both parties follow the
protocol properly but adversaries may keep a record of all the information re-
ceived during the execution and use it to make a later attack. On the other
hand, the so-called malicious model is considered when it is assumed that dif-
ferent parties may deviate from the protocol. In order to prove security in
the semi-honest model, the simulation paradigm is usually applied. According
to this paradigm, given the input and output of any party, it is always possible
to simulate through a probabilistic polynomial time algorithm his or her view
of the protocol without knowing any other input or output. Therefore, when
the simulation paradigm holds, it is obvious that such a party does not learn
anything from the execution of the protocol. It has been shown [18] that any
protocol that is secure in the semi-honest model can be transformed into a proto-
col that is secure in the malicious model. This theoretical result has become an
important design principle throughout the field of cryptographic protocols. It is
often easier to start from the design of a protocol that is secure in the semi-honest
model, and then to transform it into a protocol that is secure in the malicious
model, by forcing each party to prove that he or she behaves as a semi-honest
party.

In conclusion, the security of an interactive protocol should refer to its abil- 
ity to withstand attacks by certain types of enemies. On the other hand, since 
protocol design is usually based on the belief that certain computations are diffi- 
cult, a rigorous analysis of its security suffers the same limitation. Consequently, 
the best that can be hoped for is a demonstration that either the protocol is 
secure or that some cryptographic assumption of the difficulty of a problem is 
wrong. 

3 Notation and Properties 

Throughout this paper A and B represent the parties Alice and Bob. The
typical notation '$A \to B$: X' should be interpreted as 'the protocol designer
intended X to be originated by A and received by B', because the messages
are not assumed to be sent in a benign environment, so there is nothing in the
environment to guarantee that messages are made by A or received only by B.

In order to formalize the notion of cryptographic protocols, $f$ denotes a two-
argument finite function from $X_A \times X_B$ into $Y_A \times Y_B$, where $X_i$ and $Y_i$ denote
private input and output sets respectively. On the other hand, $s_i$, $r_i$ and $f_i$
denote three private values corresponding to a finite value, a random choice and
a function respectively. The sub-indices $i \in \{A, B\}$ indicate the parties A and B.
Thus, a cryptographic protocol may be generally described through a function
$f$ whose public output is defined by the expression

$$
f(x_A, x_B) = f((s_A, r_A), (s_B, r_B)) = (y_A, y_B) = \big(f_A((s_A, r_A), (s_B, r_B)),\; f_B((s_A, r_A), (s_B, r_B))\big).
$$

In this way, at the end of the execution, each party $i \in \{A, B\}$ receives the
output of $f_i$. Note that the previous definition is independent of the sidedness
view of protocols. The only difference is that in two-sided protocols, both private
outputs are equal.

The security of many cryptographic protocols relies on the apparent in-
tractability of two mathematical problems known as the Discrete Logarithm Prob-
lem (DLP) and the Quadratic Residuosity Problem (QRP) [24]. The true compu-
tational complexities of these two problems are not known. That is to say, they
are widely believed to be intractable, although no proof of this is known. In-
deed, both problems are assumed to be as difficult as the problem of factoring
integers. Next the notation corresponding to these two problems is introduced.
Given a prime number $p$, let $\mathbb{Z}_p$ denote the finite field of integers modulo $p$, and
let $\mathbb{Z}_p^*$ denote the multiplicative group of integers modulo $p$. Accordingly, given
a composite integer $N$, let $\mathbb{Z}_N$ denote the additive group of integers modulo $N$.

On the one hand, given a prime $p$, the DLP may be described as a function
from $\mathbb{Z}_p^*$ into $\mathbb{Z}_{p-1}$. In particular, given a primitive root $g$ of the finite field $\mathbb{Z}_p$
and an integer $y \in \mathbb{Z}_p^*$, the integer $x \in \mathbb{Z}_{p-1}$ is referred to
as the discrete logarithm of $y$ to the base $g$ if and only if $g^x \equiv y \pmod p$. The
DLP is in the NPI class, which means that no probabilistic polynomial algorithm
is known for solving it. Such a problem has acquired additional importance in
recent years due to its wide applicability in Cryptography [26].

On the other hand, given an odd composite integer $N$, the QRP may be
defined as a function from $\mathbb{Z}_N$ into $\mathbb{Z}_2$. In particular, given an integer $y$ having
Jacobi symbol $\left(\frac{y}{N}\right) = 1$, the QRP consists in deciding whether or not $y$ is a
quadratic residue modulo $N$. Note that while the Legendre symbol tells us
whether $y$ is a quadratic residue modulo a prime number, the Jacobi symbol
cannot be used to decide whether $y$ is a quadratic residue modulo $N$, because if
$\left(\frac{y}{N}\right) = 1$, both cases, $y$ being and not being a quadratic residue modulo $N$, are
possible. If $N$ is a product of two distinct odd primes $p$ and $q$, then $\mathbb{Z}_p$ and $\mathbb{Z}_q$
are finite fields, and $y$ has either no or two square roots in each of them. Consequently, in such a case, if
the factorization of $N$ is known, the QRP can be solved simply by computing the
Legendre symbol $\left(\frac{y}{p}\right)$. Conversely, the ability to compute square roots modulo
$N$ implies the ability to factorize $N$. Otherwise, if the factorization of $N$ is
unknown, then there is no efficient procedure known for solving the QRP, other
than by guessing the answer.
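The following Python example is added here and is not part of the paper. It implements the Jacobi symbol and Euler's criterion and shows, on the constructed toy modulus $N = 7 \cdot 11 = 77$, that the units with Jacobi symbol $1$ split evenly into true squares and pseudo-squares: this is exactly why the Jacobi symbol alone cannot answer the QRP, while knowing $p$ and $q$ answers it with two Legendre symbols. All function names are this example's own, and the brute-force ground truth is only feasible at toy size.

```python
from math import gcd

# Added example, not from the paper. Toy modulus N = 7 * 11 = 77 (constructed);
# real instances use primes far too large for the brute-force helpers below.

def jacobi(a, n):
    """Jacobi symbol (a/n) for an odd positive n, by quadratic reciprocity."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    v = pow(a, (p - 1) // 2, p)
    return -1 if v == p - 1 else v

def is_qr_with_factors(y, p, q):
    """QRP solved with the trapdoor: y is a square mod pq iff it is a square mod p and mod q."""
    return legendre(y, p) == 1 and legendre(y, q) == 1

def is_qr_brute(y, n):
    """Ground truth by exhaustive search (feasible only because n is tiny)."""
    return any(x * x % n == y for x in range(1, n))

def jacobi_one_split(p, q):
    """Among units modulo p*q with Jacobi symbol 1, separate true squares from pseudo-squares."""
    n = p * q
    squares, pseudo = [], []
    for y in range(1, n):
        if gcd(y, n) == 1 and jacobi(y, n) == 1:
            (squares if is_qr_with_factors(y, p, q) else pseudo).append(y)
    return squares, pseudo
```

For $N = 77$ the split is 15 squares against 15 pseudo-squares, so an adversary without the factorization who answers the QRP from the Jacobi symbol does no better than a coin toss.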

An advisable methodology for the practical design of cryptographic protocols
includes the verification of the following properties. Firstly, the designer should
have a clear idea of what the protocol should achieve in order to specify the
goal, and of what computation and communication requirements the protocol
should satisfy, which implies the so-called correctness property. However, ex-
pressing the correctness criteria of a protocol is not a trivial task, because most
protocols include the use of randomness and interactions, and are based on some
difficult problem or cryptosystem. Also, since the difficulty of the problems and
cryptosystems does not absolutely guarantee the security of the corresponding
protocols, an essential task of their design should be the anticipation of any
possible situation, which corresponds to the proof of fault tolerance (including
protection of the parties' privacy). Finally, cryptographic protocols should be fair,
which means that it should be clearly defined what every party gets through
them.

According to the above comments, it is said that a two-party cryptographic
protocol securely computes a function $f$ in the semi-honest model, and conse-
quently, that the function $f$ is securely computable, if the following conditions
hold:

Correctness. Each party may obtain the correct output value of $f$ on those
input arguments that have been previously distributed between both par-
ties.

$i$'s Privacy. Any value that party $i$ could compute efficiently from certain
output of $f$ could be computed directly from his or her private input and
output.

Fault-tolerance. The security of the protocol should be stated under any kind
of behaviour from any of both parties or external viewers.

Fairness. Both parties should know the full description and possible outputs
of $f$.

Unfortunately, for most known cryptographic protocols no results regarding 
their correctness, privacy, fault-tolerance and fairness have been proved. Instead 
of it, there are security reductions to prove that the protocols are secure as 
long as certain mathematical assumptions are true. Early work on this field 
concentrated on privacy as the main security criterion, but later it was proved 
to be inadequate since many protocols provide services that are only indirectly 
related to privacy. 

In the following two sections, the two most important primitives for the 
design of cryptographic protocols are analyzed. 

4 Oblivious Transfer 

Oblivious Transfer (OT) is a fundamental two-party protocol that is used to
transfer a secret with uncertainty. It solves the following situation: party A
knows a secret $s_A$ that she wants to transfer to party B in a probabilistic way such
that the following properties are fulfilled:

Meaningfulness. B gets the secret $s_A$ with probability 1/2.

Obliviousness. B knows for sure whether he received the secret $s_A$, but A
cannot determine whether the transfer was successful any better than
random guessing.

Since party A acts only as sender and party B acts only as receiver, OT is
a one-sided protocol. Consequently, it may be functionally defined as follows:

$$
f_B((s_A, r_A), r_B) = s_A \quad \text{if } r_A = r_B.
$$

It has been formally proved that Secure Two-Party Computation in general
can be reduced to OT in the semi-honest model [22], [2], and that OT can be
used as a primitive for the design of any two-party protocol [23]. Furthermore,
it has been established that the existence of one-way trapdoor permutations
guarantees the existence of securely computable OT in the semi-honest model
[27].

The idea of this definition was first proposed in [27], where an algorithm
based on the QRP was described. In such a protocol the secret information to
transfer is the factorization of the product of two large prime numbers. The
algorithm may be described as follows:

Rabin OT

1. $A \to B$ the product $N = pq$ of two large prime numbers $p$ and $q$ randomly
chosen by herself.

2. $B \to A$ the integer $x^2 \pmod N$, where $x$ is a private random number such
that $1 < x < N - 1$.

3. $A \to B$ one of the four different square roots $\{x, N - x, y, N - y\}$ of $x^2$
$\pmod N$, randomly chosen by herself.

4. If B receives $y$ or $N - y$, then he can compute $p$ and $q$ thanks to $\gcd(x + y, N)$.
Otherwise, he cannot.

After the execution of the previous protocol, A does not know whether B
received the secret or not, since her choice was random. The algorithm uses
the fact that the knowledge of two different square roots modulo $N$ of the
same number enables one to factor $N$. Indeed, from $x^2 \equiv y^2 \pmod N$ we get
$(x + y)(x - y) \equiv 0 \pmod N$, and since $x \not\equiv \pm y \pmod N$, $N$ divides neither $(x + y)$
nor $(x - y)$, yet it divides $(x + y)(x - y)$; this is only possible if
$p$ divides exactly one of the two factors and $q$ divides the other. Consequently,
through the computation of the greatest common divisor of $N$ and $(x + y)$, the
factorization of $N$ can be easily computed.
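As an added example (not from the paper), the following Python simulation runs Rabin OT end to end on the constructed toy primes $p = 1019$ and $q = 1123$. It assumes Blum primes ($p, q \equiv 3 \pmod 4$) so that A can extract square roots with one modular exponentiation per prime and a CRT combination; the paper's protocol only asks for two large random primes. The helper names (`square_roots`, `factor_from_roots`, `rabin_ot`) are this example's own.

```python
import random
from math import gcd

# Added example, not from the paper. Constructed toy Blum primes; the
# p, q = 3 (mod 4) assumption is made here only to keep root extraction short.
P, Q = 1019, 1123

def crt(rp, rq, p, q):
    """Combine residues modulo p and modulo q into one residue modulo p*q."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def square_roots(a, p, q):
    """All four square roots of a quadratic residue a modulo N = p*q (A's trapdoor step)."""
    rp = pow(a, (p + 1) // 4, p)      # valid because p = 3 (mod 4)
    rq = pow(a, (q + 1) // 4, q)
    return {crt(sp, sq, p, q) for sp in (rp, p - rp) for sq in (rq, q - rq)}

def factor_from_roots(x, y, n):
    """B's step 4: two roots with x != +-y reveal a factor through gcd(x + y, N)."""
    d = gcd(x + y, n)
    return (d, n // d) if 1 < d < n else None

def rabin_ot(p, q, rng):
    """One run of Rabin OT; returns (p, q) if B learned the factorization, else None."""
    n = p * q                                   # step 1: A -> B : N
    x = rng.randrange(2, n - 1)                 # step 2: B picks a secret x, sends x^2
    while gcd(x, n) != 1:                       # a non-unit x would factor N outright
        x = rng.randrange(2, n - 1)
    c = x * x % n
    root = rng.choice(sorted(square_roots(c, p, q)))   # step 3: A -> B : one root at random
    if root * root % n != c:
        raise AssertionError("A's response is not a square root of B's challenge")
    return factor_from_roots(x, root, n)        # step 4: B tries gcd(x + root, N)

def one_run(seed):
    return rabin_ot(P, Q, random.Random(seed))

def success_count(trials, seed):
    """Number of runs in which B learned the secret; expected about trials / 2."""
    rng = random.Random(seed)
    return sum(rabin_ot(P, Q, rng) is not None for _ in range(trials))
```

Because A chooses uniformly among four roots and only two of them differ from $\pm x$, B succeeds in about half of the runs, and nothing in the transcript tells A which half a given run fell into.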

Typical stages and characteristics of OT based on the Challenge-Response and
Cut-and-Choose methods are now sketched. In the following proposed general
scheme, A's secret is supposed to be a solution to a difficult problem, and
some complexity assumption on the computing capacity of both parties is usually
required. The first step implies the definition of a partition of a difficult instance
of the original problem. The second step requires the use of a one-way
function $h$ on which both parties should have previously agreed. Depending
on the coincidence or difference between both secret random choices carried out
in the second and third steps, the transferred solution is a valid solution to the
original difficult problem or not.

General OT

1. Set-up. $A \to B$ a partition of an input problem instance, $\{P_0, P_1\}$.

2. Challenge. $B \to A$ the output $h(r_B)$ of a one-way function $h$ on a random
element from one of both sets, $r_B \in P_j$, $j = 0$ or $1$.

3. Response. $A \to B$ the solution to the problem defined by her random
choice of an element from one of both sets, $r_A \in P_i$, $i \in \{0, 1\}$, and the
information sent by B, $\mathrm{Sol}(r_A, h(r_B))$.

4. Verification. The secret solution is successfully transferred to B depending
on both participants' choices.

According to the previous functional definition, $y_B = \mathrm{Sol}(r_A, h(r_B)) = s_A$ if
$r_A = r_B$. Correctness and privacy properties are satisfied by the General OT
due to the following. B obtains a correct output of function $f$ when both parties
are honest. If A tries to transfer a non-existent secret solution, a TTP or a
Zero-Knowledge Proof (see section 5) might be used to guarantee correctness.
Concerning privacy, after taking part in the protocol, if B does not receive
A's secret solution, then B cannot obtain it, since his polynomially bounded
computing power does not allow him to solve the problem. Furthermore, A
cannot guess B's secret choice, so she does not know whether B obtained the
secret solution or not.

Next, a new proposal of OT based on graphs is described. In this new
proposal, which follows the previous general scheme, the secret to transfer is an
isomorphism between two graphs $G_1$ and $G_2$. The assumption of the following
hypothesis is required: 'The computational resources of A allow her to solve the
graph isomorphism problem'.

Graph-Based OT

1. Set-up. $A \to B$ the two graphs $G_1$ and $G_2$, randomly chosen by herself.

2. Challenge. $B \to A$ an isomorphic copy $H$ of one of both graphs, $G_i$,
randomly chosen by himself.

3. Response. $A \to B$ the isomorphism between $H$ and one of the two graphs,
$G_j$, randomly chosen by herself.

4. Verification. If the graph chosen by A in the previous step does not co-
incide with the one used by B in step 2, B will be able to obtain the
isomorphism between $G_1$ and $G_2$. Otherwise, B will not be able to get it.

Note that in Rabin OT, B's choice determines the subsequent development
of the protocol and its security, whilst in our proposal the security is determined
only by A's selection of graphs.
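Added example, not from the paper: a Python simulation of the Graph-Based OT on a constructed 5-vertex graph. A's assumed ability to solve graph isomorphism is replaced by exhaustive search over permutations (`find_isomorphism`), which is only feasible at this toy size; all function names are this example's own.

```python
import itertools
import random

# Added example, not from the paper. A graph on vertices 0..n-1 is a frozenset of
# undirected edges (2-element frozensets); a permutation is a list mapping v -> perm[v].

N = 5                                        # constructed toy instance
G1 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (0, 2)])

def relabel(edges, perm):
    """Image of an edge set under a vertex permutation."""
    return frozenset(frozenset(perm[v] for v in e) for e in edges)

def find_isomorphism(g, h, n):
    """Exhaustive search for perm with relabel(g, perm) == h. This stands in for the
    paper's hypothesis that A's resources let her solve graph isomorphism; it is
    only feasible for tiny n."""
    for perm in itertools.permutations(range(n)):
        if relabel(g, perm) == h:
            return list(perm)
    return None

def compose(outer, inner):
    """Permutation v -> outer[inner[v]] (inner is applied first)."""
    return [outer[inner[v]] for v in range(len(inner))]

def invert(perm):
    inv = [0] * len(perm)
    for v, w in enumerate(perm):
        inv[w] = v
    return inv

def graph_based_ot(g1, n, rng):
    """One run of the Graph-Based OT. Returns an isomorphism G1 -> G2 if B obtained
    the secret, None otherwise."""
    # Set-up: A picks a secret sigma and publishes G1 and G2 = sigma(G1).
    sigma = list(range(n))
    rng.shuffle(sigma)
    g2 = relabel(g1, sigma)
    graphs = (g1, g2)
    # Challenge: B picks i and a secret pi, and sends H = pi(G_i).
    i = rng.randrange(2)
    pi = list(range(n))
    rng.shuffle(pi)
    h = relabel(graphs[i], pi)
    # Response: A picks j at random and sends phi with phi(H) = G_j.
    j = rng.randrange(2)
    phi = find_isomorphism(h, graphs[j], n)
    # Verification: B can only chain pi and phi into G_i -> G_j when i != j.
    if i == j:
        return None
    iso = compose(phi, pi)
    if i == 1:
        iso = invert(iso)                     # orient the result as G1 -> G2
    if relabel(g1, iso) != g2:
        raise AssertionError("composed map is not an isomorphism G1 -> G2")
    return iso

def success_count(trials, seed):
    """Number of runs in which B learned the secret; expected about trials / 2."""
    rng = random.Random(seed)
    return sum(graph_based_ot(G1, N, rng) is not None for _ in range(trials))
```

The transcript A sees ($H$ and her own $j$) is distributed identically whether $i = j$ or not, which is the obliviousness property; meaningfulness follows from A drawing $j$ uniformly.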



4.1 Variants of OT 

The previous description of OT corresponds to its simplest version. Two other
interesting variations exist, known as one out of two OT (1-2OT) and
one chosen out of two OT (1C-2OT) [14]. The first one is used when A has two
secrets and B wishes to obtain one of them without letting A know which one.
Thus, 1-2OT may be functionally characterized as follows:

$$
f_B(((s_{A1}, s_{A2}), r_A), r_B) = s_{A1} \quad \text{if } r_A = r_B
$$

(and otherwise $f_B(((s_{A1}, s_{A2}), r_A), r_B) = s_{A2}$).

The essential difference between a 1-2OT and a 1C-2OT is that in the latter
case B is particularly interested in one of both secrets, so the corresponding
functional definition in this case is

$$
f_B((s_{A1}, s_{A2}), i) = s_{Ai}.
$$

In these two variants of OT, the meaningfulness and obliviousness properties
should be interpreted as follows:

Meaningfulness. B gets exactly one of the two secrets.

Obliviousness. B knows which secret he got but A cannot guess it.

A proof that the three versions of OT are equivalent can be found in [10].

Next a known 1-2OT based on the DLP for two secrets $s_0$ and $s_1$ that are
binary strings is described. This algorithm assumes that both parties A and
B know some large prime $p$, a generator $g$ of $\mathbb{Z}_p^*$ and an integer $c$, but nobody
knows the discrete logarithm of $c$.

DLP-Based 1-2OT

1. $B \to A$ two integers $\beta_0$ and $\beta_1$, where $\beta_i = g^x \pmod p$, $\beta_{1-i} = c\,(g^x)^{-1}$
$\pmod p$, $i$ is a random bit and $x$ is a random number such that $0 \le x < p - 2$.

2. $A \to B$ the integers $\alpha_0$ and $\alpha_1$ and the binary strings $r_0$ and $r_1$, where
$\alpha_j = g^{y_j} \pmod p$, $\gamma_j = \beta_j^{y_j} \pmod p$, $r_j = s_j \,\mathrm{XOR}\, \gamma_j$ (without carry), and
$y_j$ being integers randomly chosen by herself, after having checked that
$\beta_0 \beta_1 = c \pmod p$.

3. B computes $\alpha_i^x = g^{x y_i} = \beta_i^{y_i} = \gamma_i \pmod p$, and $s_i = \gamma_i \,\mathrm{XOR}\, r_i$ (without
carry).

Since the discrete logarithm of $c$ is unknown, B cannot know the discrete
logarithms of both $\beta_0$ and $\beta_1$. Moreover, the information that B sends to A in
the first step does not reveal to her which of the two discrete logarithms B knows,
and consequently which of the two secrets B will receive in the third step.
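Added example (not the paper's code): the DLP-Based 1-2OT in Python with the constructed toy parameters $p = 1019$, $g = 2$ and $c = 3$. At this size anyone could brute-force $\log_g c$, so the assumption that nobody knows it is only modelled, not enforced; the secrets are small integers standing in for the binary strings, and all function names are this example's own.

```python
import random

# Added example, not from the paper. Constructed toy parameters; at this size the
# discrete logarithm of C is trivially brute-forced, so the "nobody knows log_g c"
# assumption is only modelled here, not enforced.
P = 1019      # prime, P - 1 = 2 * 509
G = 2         # generator of Z_P^* (checked by is_generator)
C = 3         # public constant whose discrete logarithm must be unknown to both parties

def is_generator(g, p, prime_factors_of_p_minus_1):
    """g generates Z_p^* iff g^((p-1)/f) != 1 for every prime factor f of p - 1."""
    return all(pow(g, (p - 1) // f, p) != 1 for f in prime_factors_of_p_minus_1)

def receiver_challenge(i, x, p=P, g=G, c=C):
    """Step 1 (B): beta_i = g^x and beta_{1-i} = c * (g^x)^{-1}; B knows the log of beta_i only."""
    beta = [0, 0]
    beta[i] = pow(g, x, p)
    beta[1 - i] = c * pow(beta[i], -1, p) % p
    return beta

def sender_accepts(beta, p=P, c=C):
    """A's check that beta_0 * beta_1 = c (mod p), so B cannot know both logarithms."""
    return beta[0] * beta[1] % p == c % p

def sender_response(beta, secrets, y, p=P, g=G, c=C):
    """Step 2 (A): alpha_j = g^{y_j}, gamma_j = beta_j^{y_j}, r_j = s_j XOR gamma_j."""
    if not sender_accepts(beta, p, c):
        raise ValueError("beta_0 * beta_1 != c: B did not form the pair correctly")
    alpha = [pow(g, y[j], p) for j in (0, 1)]
    gamma = [pow(beta[j], y[j], p) for j in (0, 1)]
    masked = [secrets[j] ^ gamma[j] for j in (0, 1)]
    return alpha, masked

def receiver_recover(alpha, masked, i, x, p=P):
    """Step 3 (B): alpha_i^x = g^{x y_i} = beta_i^{y_i} = gamma_i, then unmask s_i."""
    return masked[i] ^ pow(alpha[i], x, p)

def run_1_2_ot(secrets, i, seed, p=P, g=G, c=C):
    """Complete run; B's bit i selects which of A's two secrets he receives."""
    rng = random.Random(seed)
    x = rng.randrange(0, p - 2)                    # B's secret exponent
    beta = receiver_challenge(i, x, p, g, c)
    y = [rng.randrange(1, p - 1) for _ in (0, 1)]  # A's random exponents
    alpha, masked = sender_response(beta, secrets, y, p, g, c)
    return receiver_recover(alpha, masked, i, x, p)
```

The check in `sender_accepts` is the whole defence against a receiver who tries to learn both secrets: a pair $(g^x, g^{x'})$ with two known logarithms has product $c$ only if $x + x' = \log_g c$, which B is assumed not to know.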

General OT remains valid for both 1-2OT and 1C-2OT, but with several
modifications. In the case of 1-2OT, the two differences are in the first and
in the fourth step. In most cases, the set-up step is not necessary. On the
other hand, in the verification step the solution that B receives, $\mathrm{Sol}(r_A, h(r_B))$,
coincides with one of both valid solutions depending on A's and/or B's random
choices, $r_A$ and $r_B$.

On the other hand, in 1C-2OT there is a difference in the response step
because there is no random choice by A, and the solution sent to B is $\mathrm{Sol}(h(r_B))$,
where $r_B$ is randomly chosen by B within the set $P_i$ indicated by his choice.

Next we propose a new solution to this protocol based on Graph Theory.
In this case, the required hypothesis is that A knows how to solve a problem $P$
in two graphs $G$ and $H$ and in every isomorphic copy of them. Also, the graphs
$G$ and $H$ are assumed to have identical polynomially testable properties. The
secret to transfer is now a solution to the problem $P$ in one of two public graphs
$G$ or $H$.

Graph-Based 1-2OT

1. Challenge. $B \to A$ two new graphs, an isomorphic copy $G_1$ of $G$ and an
isomorphic copy $H_1$ of $H$, and a pointer to one of them.

2. Response. $A \to B$ the solution to the problem $P$ in the graph pointed to by
B in step 1.

3. Verification. B transforms the received solution into a solution to the prob-
lem $P$ in the original graph $G$ or $H$ by using the isomorphism he knows.

The generalization of 1-2OT to more than two secrets, known generally as
Secret Sale, is an especially interesting topic due to its usefulness in the design
of Electronic Elections. The previous algorithm admits a simple adaptation
to a Secret Sale. The only modification consists in considering $n$ graphs $G_1,
G_2, \dots, G_n$ instead of only two, and an isomorphic copy $H_i$ for each one. Then,
the previous outline may be used for each pair $(G_i, H_i)$ so that at the end of
the protocol, B has the solution to the problem on a concrete graph without
allowing A to know exactly which.

Next, the latter algorithm is used to generate a new OT that allows the
hypothesis of the previous proposal to be relaxed. In order to do that, we can use the
idea of dividing the secret into two parts, so that only if B receives both fractions
will he be able to obtain the original secret. So, thanks to the composition of
two 1-2OT, a new OT where the secret is an isomorphism between two graphs
chosen by A may be described. The description of this new algorithm is as
follows.

Graph-Based OT Based on 1-2OT

1. Challenge. $B \to A$ two isomorphic graphs $G_1$ and $G_2$.

2. Response. A builds an intermediate graph $H$ that is isomorphic to both
graphs, and executes two 1-2OT with the isomorphisms between $G_1$ and
$H$, denoted by $f_1$, and between $H$ and $G_2$, denoted by $f_2$.

3. Verification. If both 1-2OT produce the reception of $f_1$ and $f_2$, B is able
to deduce the isomorphism between $G_1$ and $G_2$ through the composition
of both received isomorphisms. Otherwise, it is impossible.



4.2 Applications of OT 

OT has many different and important applications such as Contract Signing, 
Secret Exchange, Certified Mail, Coin Flipping and Two-Sided Comparison Pro- 
tocols [6]. All these applications are analyzed in the following subsections. 

4.2.1 Contract Signing, Secret Exchange and Certified Mail 

The problem of Contract Signing (CS) consists in the simultaneous exchange 
between two parties A and B of their respective digital signatures of a message 
(contract). The two main difficulties are to achieve that none of participants 
can obtain the signature of the other without having signed the contract and 
that none of them can repudiate his or her own signature. This protocol was 
first proposed in [13]. 

It has been proved [15] that no deterministic CS exists without the partici- 
pation of a TTP. Thus, since protocols without TTP are desirable in distributed 
environments, CS based on the use of randomization are specially interesting. 

One of the simplest CS is based on the successive application of Rabin OT.
In this case, the contract is considered correctly signed by both parties if both
users at the end know the other user's secret factors. The same idea can be
applied to the proposed OT based on graphs, so that the contract will be signed
when both participants have received the other's secret isomorphism.

A direct relationship exists between CS and two protocols known respectively 
as Secret Exchange (SE) and Certified Mail (CM), since all of them are reducible 
to each other [11]. On the one hand, SE allows that two parties A and B 
exchange their secrets simultaneously through a communication network. On 
the other hand, thanks to a CM party A may send a message to another party 
B so that he cannot read it without returning an acknowledgement of receipt 
to A. In all the three cases of CS, SE and CM a commitment of exchange of 
secrets exists that can be solved by using OT. 

Unlike OT, SE is two-sided because both parties act as sender and receiver.
Its functional definition is as follows:

$$
f_A(r_A, (s_B, r_B)) = s_B \quad \text{and} \quad f_B((s_A, r_A), r_B) = s_A \quad \text{if } r_A = r_B.
$$

Next we propose a new Graph-Based SE. Now it is supposed that A knows
how to solve the isomorphism problem for all the isomorphic copies of
the graph $G_{1A}$, and that B knows how to solve the isomorphism problem for all the
isomorphic copies of the graph $G_{1B}$. The secrets to be exchanged are the two
isomorphisms between the graphs $G_{1A}$ and $G_{2A}$, and between the graphs $G_{1B}$
and $G_{2B}$. Both pairs of graphs are supposed public.

Graph-Based SE

1. • $A \to B$ a graph $H_{iB}$, isomorphic copy of one of the two graphs $G_{iB}$,
randomly chosen by herself.

   • $B \to A$ a graph $H_{jA}$, isomorphic copy of one of the two graphs $G_{jA}$,
randomly chosen by himself.

2. • $A \to B$ the isomorphism between $H_{jA}$ and one of the two graphs
$G_{iA}$, chosen at random by herself.

   • $B \to A$ the isomorphism between $H_{iB}$ and one of the two graphs $G_{jB}$,
chosen at random by himself.

Both steps will be repeated a sufficient number of times to guarantee
that, when the execution concludes, the probability that the secrets have not
been mutually exchanged is negligible.

4.2.2 Coin Flipping 

The main goal of Coin Flipping (CF) is to make jointly a fair decision between 
A and B, so both users can simulate jointly the random toss of a coin in a 
distributed environment. This protocol has important applications in the gen- 
eration of secret shared random sequences in order to use them as session keys 
in network communications. 

The name of this protocol comes from its first description, given in [4]. The
simplest CF only requires that A and B each pick a random bit, $a$ and $b$, and
simultaneously exchange them. In this way, the outcome of the toss may be
defined by $a + b \pmod 2$. In order to prevent possible biases of the result, a Bit
Commitment scheme (see next section) might be used. Again, implementations
of CF supported by OT are in general possible. In order to do so, it is only
necessary to specify that the result is favourable to B when he obtains A's
secret, and otherwise it is favourable to A.

A known proposal of CF based on the difficulty of the QRP is shown below.

QRP-Based CF

1. $A \to B$ two integers $N$ and $z$, such that $N$ is a Blum integer (product
of two prime numbers $p$ and $q$ that are congruent to 3 modulo 4), and
$z = y^2 \pmod N$ with $y = x^2 \pmod N$ and $x \in \mathbb{Z}_N^*$.

2. $B \to A$ his bet on whether $y$ is even or odd.

3. $A \to B$ the integers $x$ and $y$, and a proof that $N$ is a Blum integer.

4. B checks that $y = x^2 \pmod N$ and $z = y^2 \pmod N$.

Note that the use of a Blum integer is essential in this scheme, since if both
numbers $p$ and $q$ are primes $\equiv 3 \pmod 4$, then $-1$ is not a square modulo $p$ or
modulo $q$, and it easily follows that the square function becomes a bijective map
whose domain and range are both the subset of squares in $\mathbb{Z}_N^*$. Consequently,
this condition ensures that $z$ does not have two square roots of different parity.
As before, B could be persuaded of A's correct selection of $N$ through a
Zero-Knowledge Proof (see next section).

A General CF based on a trapdoor function and a finite set of integers is
described next. In such a scheme both participants should agree in advance on the
trapdoor function $h$, which is defined on a finite set of integers that contains
exactly the same quantity of odd and even numbers.

General CF

1. Set-up. $A \to B$ the output $y = h(x)$ on an element $x \in X$, randomly
chosen by herself.

2. Challenge. $B \to A$ his bet on whether $x$ is even or odd.

3. Response. $A \to B$ the original element $x$.

4. Verification. B checks that $h(x) = y$.

Correctness of the previous scheme is based on the appropriate choice of the
trapdoor function $h$. Thus, if $h$ is not an injective function, A could know two
different values $x$ and $x'$ of different parity such that $h(x) = h(x')$, so
in this case A is not committed to either of both values. On the other hand, if $h$
can be inverted and it is possible to obtain $x$ from $h(x)$, it would be feasible to
deduce the parity of $x$ from $h(x)$.

4.2.3 Two-Sided Comparison Protocols 

Now we consider a new application of OT, which is the problem of evaluating 
a specific function by two parties on secret inputs. In a general description of 
a Two-Sided Comparison Protocol (TSCP), two parties A and B, each having 
a secret (s_A and s_B), want both to learn the finite output of a comparison 
function g(s_A, s_B), but neither of them learns anything about the other party's 
secret. The main characteristic of this two-sided protocol is that it is a symmetric 
protocol, because both parties perform the same actions and obtain the same result. 
This general protocol has important applications in Electronic Voting, Mental 
Poker and Data Mining. The main problem of its definition is the simultaneity 
of both parties' actions. It has been proved [29] that all functions with finite 
domain and finite image can be evaluated through TSCP. 
A general functional definition of TSCP is as follows: 

$$f((s_A, r_A), (s_B, r_B)) = (g(s_A, s_B), g(s_A, s_B)).$$

The following scheme sketches typical stages and characteristics of a General 
TSCP for comparing binary strings, which is based on a 1C-2OT. 

General TSCP 

1. Set-up. Each party chooses at random 2n binary strings of length k, 
$\{r_0^i, r_1^i\}_A$, $\{r_0^i, r_1^i\}_B$, $i = 1, 2, \ldots, n$. 

2. Transfer. 

• A → B one of the two secrets transferred with 1C-2OT$(r_0^i, r_1^i)_A$, 
chosen according to the i-th bit of B's secret binary string. 

• B → A one of the two secrets transferred with 1C-2OT$(r_0^i, r_1^i)_B$, 
chosen according to the i-th bit of A's secret binary string. 

3. Computation. 

• A → B the bit-wise addition of all the received strings, with the sum 
of A's private strings selected by her secret string, $\sum_i r^i_{s_A}$. 

• B → A the bit-wise addition of all the received strings, with the sum 
of B's private strings selected by his secret string, $\sum_i r^i_{s_B}$. 

4. Verification. If both additions are different, both parties deduce that 
both secret strings differ. Otherwise, they do not know anything 
for sure. 

Note that in the verification step both parties could deduce the equality of 
both secret strings if both sums coincide. However, this would be a proba- 
bilistic deduction because the probability of failure is $2^{-k}$. According to this, the 
given functional definition of TSCP is: if $s_A = s_B$, then $g(s_A, s_B) = 0$ since 

$$\sum_i 1C\text{-}2OT(r_0^i, r_1^i)_A + \sum_i r^i_{s_B} = \sum_i 1C\text{-}2OT(r_0^i, r_1^i)_B + \sum_i r^i_{s_A}.$$

Otherwise, $g(s_A, s_B) = 1$, which implies that no party receives any certain 
information regarding the comparison between both secret strings. 

Correctness and privacy properties are satisfied by General TSCP due to the 
following. Both parties obtain a correct output of the function f when they are 
honest because, if both secret strings coincide, both final sums also coincide. If 
either party attempts to perform a non-valid 1C-2OT, then a TTP or a ZKP 
might be used to guarantee correctness. Concerning privacy, after taking part 
in the protocol both parties have received only random strings that do not allow 
them to deduce the other party's secret string. 

Next, three different implementations of the general definition of TSCP are 
considered: the so-called Byzantine Agreement, String Verification and the 
Millionaires Problem. 

In the protocol described in [28], known as Byzantine Agreement (BA), 
both parties A and B, each having a secret bit, s_A and s_B, want to agree on 
the same bit, which should be s_A = s_B if this equality holds. According to this 
definition, if one party receives a bit different from the one that he or she owns, 
then he or she learns the other's bit, but if both parties receive the same bit 
that they own, then they do not learn anything about the other's bit. That is 
to say, if s_A ≠ s_B, they learn it with probability 1/2, but if s_A = s_B they do 
not learn anything. 

In this case, the functional definition of BA is as follows: 

$$f((s_A, r_A), (s_B, r_B)) = (s_A, s_B) \text{ if } s_A = s_B \text{ are identical bits}$$

(otherwise $f((s_A, r_A), (s_B, r_B)) = (r, r)$, where $r = g(r_A, r_B)$ is a random 
bit). 

General TSCP remains valid for BA by limiting the length of the binary strings 
to k = 1. In this way, if s_A ≠ s_B both sums coincide with probability 1/2. 

String Verification (SV) may be seen as a generalization of BA to binary 
strings. In this protocol, proposed in [25], both parties A and B, each having 
some secret n-bit string, want to verify whether both strings are equal or not, 
but nothing more than that. The functional definition of SV is as follows: 

$$f(s_A, s_B) = (0, 0) \text{ if } s_A = s_B \text{ are identical strings}$$

(and otherwise $f(s_A, s_B) = (1, 1)$). 

Again General TSCP remains valid for SV by considering large values of the 
length k of the binary strings, so that in the verification step both parties 
can deduce the equality of both secret strings if both sums coincide, with an 
almost null probability of failure, $2^{-k}$. 
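General TSCP run locally for both parties, with the BA case (k = 1) and the SV case (large k) obtained by varying k. This is an added example rather than the paper's code; the 1C-2OT of the transfer step is stood in for by a helper that hands the receiver the string selected by his bit (an assumption: a real OT also hides that bit from the sender), and the bit-wise addition is XOR over k-bit strings held as integers:

```python
import random


def make_rng(seed=None):
    """Seeded RNG for reproducible runs; OS entropy when no seed is given."""
    return random.Random(seed) if seed is not None else random.SystemRandom()


def one_of_two_ot(pair, choice_bit):
    """Stand-in for 1C-2OT (assumption): the receiver learns pair[choice_bit]
    only. A real OT additionally hides choice_bit from the sender."""
    return pair[choice_bit]


def xor_sum(strings):
    """Bit-wise addition of k-bit strings held as integers."""
    acc = 0
    for s in strings:
        acc ^= s
    return acc


def general_tscp(s_a, s_b, n, k, rng):
    """Run the four stages for n-bit secrets s_a, s_b (as integers) using
    k-bit random strings. Returns the two final sums (sum_A, sum_B)."""
    bits_a = [(s_a >> (n - 1 - i)) & 1 for i in range(n)]
    bits_b = [(s_b >> (n - 1 - i)) & 1 for i in range(n)]
    # 1. Set-up: each party draws 2n random k-bit strings {r_0^i, r_1^i}.
    pairs_a = [(rng.getrandbits(k), rng.getrandbits(k)) for _ in range(n)]
    pairs_b = [(rng.getrandbits(k), rng.getrandbits(k)) for _ in range(n)]
    # 2. Transfer: B receives A's r^i indexed by B's i-th bit, and vice versa.
    recv_b = [one_of_two_ot(pairs_a[i], bits_b[i]) for i in range(n)]
    recv_a = [one_of_two_ot(pairs_b[i], bits_a[i]) for i in range(n)]
    # 3. Computation: received strings plus own strings selected by own bits.
    sum_a = xor_sum(recv_a + [pairs_a[i][bits_a[i]] for i in range(n)])
    sum_b = xor_sum(recv_b + [pairs_b[i][bits_b[i]] for i in range(n)])
    return sum_a, sum_b   # 4. Verification: the parties exchange and compare


def strings_differ(s_a, s_b, n, k, rng):
    """True is a certain verdict; False means 'equal' up to a 2^-k error."""
    sum_a, sum_b = general_tscp(s_a, s_b, n, k, rng)
    return sum_a != sum_b


def collision_rate(s_a, s_b, n, k, trials, rng):
    """Fraction of runs in which the sums coincide: about 1/2 for different
    bits in BA (k = 1), negligible for different strings in SV (large k),
    and always 1 when the secrets are equal."""
    same = sum(1 for _ in range(trials)
               if not strings_differ(s_a, s_b, n, k, rng))
    return same / trials


if __name__ == "__main__":
    rng = make_rng()
    print(strings_differ(0b10110010, 0b10110010, 8, 128, rng))   # always False
    print(strings_differ(0b10110010, 0b10110011, 8, 128, rng))   # True w.p. 1 - 2^-128
    print(collision_rate(0, 1, 1, 1, 2000, rng))                 # BA: about 0.5
```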

In the protocol proposed in [29], known as the Millionaires Problem (MP), two 
parties A and B are supposed to be two millionaires who wish to know who is 
richer without revealing any other information about each party's worth. The 
functional definition of this protocol is as follows: 

$$f(s_A, s_B) = (0, 0) \text{ if } s_A > s_B \text{ (and otherwise } f(s_A, s_B) = (1, 1)).$$

This third version of TSCP is different from the previous schemes in two 
important respects. First, it is defined on integer values instead of binary 
strings. Also, the comparison is not on equality or difference but on greater 
or lesser value. Anyway, General TSCP may be easily adapted to be used for 
MP by considering the binary representation of both secret integers s_A and 
s_B, and by implementing General TSCP from the most to the least significant 
bits (left to right). In this way the algorithm shows the most significant bit 
that is different between both secrets, and determines the desired relationship. 
However, note that according to this suggested implementation, a lower bound 
on the difference between both secrets is being transferred. 
5 Bit Commitment 

Bit Commitment (BC) is a two-party cryptographic protocol that is 
used to simulate the two main characteristics of an envelope: 

Unalterability. A cannot modify its content once she has sent it to B. 

Unreadability. B can neither obtain the committed value inside the envelope 
nor any information about it until A opens it. 

The first condition is equivalent to the aforementioned correctness property, and 
is generally known as the binding property of BC. The second condition corresponds 
to the mentioned privacy property, and is called the hiding property in BC. 

In the functional description of BC, the use of a trapdoor function h whose 
inversion is only possible for A is required: 

$$f_B(s_A, r_A) = h(s_A, r_A).$$

According to the original definition of BC, the committed secret is a single 
bit b, so it might be considered as a surjective mapping from a large domain to 
{0, 1}. Consequently, a bit is considered committed by a random element in the 
preimage of the mapping at an output value. From this point of view, BC may 
be considered as a special type of hash function. According to this, the binding 
property of BC implies that the corresponding mapping is a function. On the 
other hand, BC meets the hiding property if both distributions of elements in 
the preimage of zero and elements in the preimage of one are indistinguishable 
to B. 

BC was first defined in [4]. Since then, many interesting algorithms based on 
various typical cryptographic tools such as hash functions, secret-key ciphers, 
pseudorandom generators, discrete logarithms or quadratic residues have been 
proposed. Also, BC has proved to be very useful as a building block in the 
design of larger cryptographic protocols, so it may be considered the second 
main primitive of cryptographic protocol design. 

The first BC shown below is based on the QRP. 

QRP-Based BC 

1. A → B the product N of two distinct large prime numbers p and q, and 
a non-square y ∈ Z_N^* with Jacobi symbol (y/N) = 1. 

2. A → B an integer c = r^2 y^b (mod N), where r ∈ Z_N^* is randomly chosen 
by herself. 

3. A → B the primes p and q and the integer r. 

4. Verification. B checks the received information. 

There is an efficient deterministic algorithm that allows computing the 
Jacobi symbol (y/N) without knowing p and q. The binding property of the 
scheme is guaranteed because if p and q are known, it is easy to check whether 
y is a square. Indeed, y is a square if and only if y (mod p) and y (mod q) are 
squares, and this is true if and only if the Legendre symbols (y/p) and (y/q) are 
equal to 1. Note that c is a square if and only if b = 0. The hiding property is 
guaranteed by the difficulty of the QRP. B needs p and q in order to check that 
y is not a square. However, if A does not want to reveal them, she should prove 
that y is not a square by a Zero-Knowledge Proof (see next subsection). 

The following algorithm is based on the DLP in finite fields. In this case, 
A's secret is an integer x. 

DLP-Based BC 

1. A → B a large prime p and a generator g of Z_p^*. 

2. A → B an integer y = g^x (mod p) with 1 < x < p − 1. 

3. A → B the integer x. 

4. Verification. B checks the received information. 

The hiding property of the scheme, that is to say, the secret x, is protected 
by the difficulty of the DLP in finite fields. On the other hand, the binding 
property also holds due to the following. Since g is a generator of Z_p^*, it is not 
possible to find another integer x' ≠ x such that 1 < x' < p − 1 and y = g^{x'} (mod 
p). Consequently, it is important that g is really a generator of Z_p^*, and party 
A should prove it to B through a Zero-Knowledge Proof (see next subsection). 

In most known BC, B is assumed to be polynomially bounded. Usually A knows 
a secret solution to a difficult problem, which she uses to commit to a secret bit s_A. A 
general scheme for BC based on the Cut-and-Choose technique is proposed next: 

General BC 

1. Set-up. A → B a partition of an input problem instance {P_0, P_1}. 

2. Commitment. A → B the witness h(s_A, r_A) obtained through a trapdoor 
function h on a random element r_A ∈ P_{s_A}, where s_A = b ∈ {0, 1}. 

3. Opening. A → B the secret s_A = b. 

4. Verification. B checks the received information. 

The binding property is satisfied by General BC because if A modifies the 
commitment, then the fraud is detected by B in the verification step. On the 
other hand, the hiding property is guaranteed through the one-way transforma- 
tion used in the commitment step. 
As we may deduce from both proposed general schemes, there are many 
coincidences between General OT and General BC. However, in this latter case, 
B's role is passive because he is limited to checking the received information in the 
last verification step. Consequently, BC may be considered a non-interactive 
protocol since all the communications are one-way from A to B. 

Again we propose a new algorithm for BC based on graphs. In this case, the 
committed secret is an isomorphism between two graphs G and H. 

Graph-Based BC 

1. Set-up. A → B two non-isomorphic graphs G and H. 

2. Commitment. A → B an isomorphic copy of 

(a) G, if b = 0, 

(b) H, if b = 1. 

3. Opening. A → B the secret isomorphism. 

4. Verification. B obtains b and checks the received isomorphism. 

This proposal fulfills both binding and hiding properties. 

5.1 Application of BC: Zero-Knowledge Proof 

The most important application of BC is on the design of two-party crypto- 
graphic protocols known as Zero-Knowledge Proofs. A Zero-Knowledge Proof 
(ZKP) is an interactive two-party cryptographic protocol that allows an in- 
finitely powerful prover A to convince a probabilistic polynomial time verifier 
B about the knowledge of some secret information without revealing anything 
about it [19]. According to the previous definition, ZKP has two possible re- 
sults: to accept or to reject the proof. The secret information could be a proof 
of a theorem, a factorization of a large integer, a password or anything veri- 
fiable, that is to say, such that there is an efficient procedure for checking its 
validity. ZKP has proven to be very useful both in Complexity Theory and in 
Cryptography. In this latter subject it has played a major role in the design of 
strong identification schemes [16]. 

The functional definition of ZKP is as follows: 

$$f_B((s_A, r_A), r_B) = 0 \text{ if } B \text{ accepts the proof}$$

(and otherwise $f_B((s_A, r_A), r_B) = 1$). 

Three characteristic properties of ZKP are completeness (if the claim is valid, 
then A convinces B of it with very high probability), soundness (if the claim 
is not valid, then B is convinced of the contrary with very small probability), 
and zero-knowledge (B does not receive any other information except for the 
certainty that the claim is valid). This latter property may be checked through 
the demonstration that the prover A can be replaced by an efficient (expected 
polynomial time) simulator, which generates an interaction indistinguishable 
from the real one. This property is usually proved through a constructive spec- 
ification of the way the simulator proceeds. The main difficulty of this proof is 
to have the simulator convince the verifier of the knowledge of the 
secret information without actually having it. This problem is usually solved 
thanks to the rewinding capability of the simulator, which may use several tries 
to answer the verifier without letting him know how many tries the simulator 
has used. 

Two variants of zero-knowledge may be distinguished depending on the as- 
sumed computing power of possible dishonest parties. Computational zero- 
knowledge arises when it would take more than polynomial time for a dis- 
honest verifier to obtain some information about the secret, whereas perfect 
zero-knowledge means that even an infinitely powerful cheating verifier could 
not extract any information. Both previous notions can also be characterized 
through the amount of computational resources necessary to distinguish be- 
tween the interaction generated by the simulator and the verifier, and the one 
associated with the prover and the verifier. The existence of computational zero- 
knowledge has been proven for any NP problem under the assumption that a 
one-way function exists [18], so it is natural that most known ZKP are compu- 
tational ZKP. On the other hand, a demonstration that the existence of perfect 
zero-knowledge for an NP-complete problem would cause the Polynomial Time 
Hierarchy to collapse has been given [17]. These two important results imply 
that any time a message is sent, it may be accompanied by a computational 
ZKP that the message is correct, which is applicable in general to protect 
distributed secure computation against malicious parties. 

In the following ZKP based on the QRP [16], the existence of a TTP is 
assumed. The only purpose of such a TTP is to publish a modulus N that is 
the product of two secret primes p and q. Again, computations are performed 
in Z_N. The secret information chosen by A consists of an integer s that 
is relatively prime with N and such that 0 < s < N. 

QRP-Based ZKP 

1. A → B an integer v = s^2 (mod N). 

2. The following steps are independently iterated m times: 

(a) A → B an integer a = x^2 (mod N), where x is any secret integer 
such that 0 < x < N. 

(b) B → A a random bit r_B. 

(c) A → B the integer y = x s^{r_B} (mod N). 

(d) B checks that y ≠ 0 and y^2 = a v^{r_B} (mod N). 

If A knows s, and both A and B follow the protocol properly, then the 
response y = x s^{r_B} (mod N) is a square root of a v^{r_B}, and consequently the 
verification condition of the last step holds because, for r_B = 0, y^2 = x^2 = a v^0 (mod N) 
and, for r_B = 1, y^2 = x^2 s^2 = a v^1 (mod N). Note that B gets no information about A's 
secret and in fact, B could play both the roles of A and B. Consequently, the 
zero-knowledge property is satisfied. 

BC, interactive challenge-response, and cut-and-choose techniques are ba- 
sic ingredients of ZKP. In general, A 'cuts' her secret solution into several parts, 
commits to them, and afterwards B chooses at random one of those parts as 
a challenge. Some of A's possible responses prove A's knowledge of the secret 
solution, whereas the others guard against A's possible fraud. Also typi- 
cally, ZKP consists of several iterations of an atomic subroutine. By repeating 
it a sufficient number of times, the verifier's confidence in the prover's honesty 
increases. Thus, the number m of iterations should be agreed on by A and B ac- 
cording to their different interests. By using all previously mentioned ideas, the 
following general scheme is proposed in order to describe most known schemes. 

General ZKP 

1. Set-up. A → B a partition of an input problem instance {P_0, P_1}. 

2. Iterations. The following steps are independently iterated m times: 

(a) Commitment. A → B a witness associated with a solution of a random 
instance r_A, obtained through a one-way function h, h(r_A). 

(b) Challenge. B → A a random bit r_B. 

(c) Response. A → B the solution to the problem P_j, j ∈ {0, 1}, defined 
from both random choices r_A and r_B, and A's secret s_A, Sol(r_A, r_B, s_A). 

(d) Verification. B checks the received information. 

In a ZKP defined according to this general scheme, correctness is guaran- 
teed through the completeness and soundness properties. Completeness guarantees 
correct execution of the protocol when parties act correctly, whereas soundness 
protects B against a dishonest party A who does not know the secret. On the 
other hand, privacy is achieved through zero-knowledge, because this property 
assures that B does not receive any information on the secret from his 
participation in the protocol. 

The new ZKP described below is based on the primitive of BC. In the first 
step of each iteration A commits to her secret information, which is a solution 
to a difficult problem in a graph G. In the verification phase B checks that the 
commitment has not been broken. The resulting proposal is a general method 
that can be adapted to be used with different graph problems [8]. 
Graph-Based ZKP 

1. Set-up. A → B a graph G, which is used as her public identification. 

2. Iterations. The following steps are independently iterated m times: 

(a) Commitment. A → B an isomorphic copy G' of the original graph 
G, in which she knows a solution to a difficult problem. 

(b) Challenge. B → A a random bit r_B. 

(c) Response. A → B one of the two messages: 

i) the isomorphism between both graphs G and G', if r_B = 0; 
ii) the solution in the isomorphic graph G', if r_B = 1. 

(d) Verification. B checks: 

i) the received isomorphism, if r_B = 0; 

ii) that the received information verifies the properties of a solution 
in the isomorphic graph G', if r_B = 1. 

The security of this algorithm is based on the difficulty of the graph 
problem used and on the choice of both the graph G and the secret solution. It is also 
only applicable when the computational capacity of the verifier is polynomial. 
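The Graph-Based ZKP with the Hamiltonian cycle problem as the difficult problem, run on a constructed six-vertex graph. This is an added example, not the paper's code; the choice of problem and the instance are assumptions (the paper leaves the graph problem open, citing [8]), and the random isomorphic copy built by `relabel` is the same step the Graph-Based BC above commits with:

```python
import random


def relabel(edges, perm):
    """Isomorphic copy: apply the vertex permutation perm (a list) to each edge.
    Graphs are frozensets of 2-element frozensets on vertices 0..n-1."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)


def is_permutation(perm, n):
    return sorted(perm) == list(range(n))


def is_hamiltonian_cycle(edges, cycle, n):
    """Step (d)ii: cycle visits every vertex of G' exactly once along edges of G'."""
    return is_permutation(cycle, n) and all(
        frozenset((cycle[i], cycle[(i + 1) % n])) in edges for i in range(n))


class Prover:
    """A: public graph G and a secret Hamiltonian cycle (a vertex order)."""

    def __init__(self, edges, cycle, n, rng):
        self.edges, self.cycle, self.n, self.rng = edges, cycle, n, rng

    def commit(self):
        """(a) Commitment: a fresh random isomorphic copy G' of G."""
        self.perm = list(range(self.n))
        self.rng.shuffle(self.perm)
        return relabel(self.edges, self.perm)

    def respond(self, r_b):
        """(c) Response: the isomorphism if r_b = 0, the cycle in G' if r_b = 1."""
        return self.perm if r_b == 0 else [self.perm[v] for v in self.cycle]


def verify_round(g_edges, n, g_prime, r_b, response):
    """(d) Verification by B for one iteration."""
    if r_b == 0:
        return is_permutation(response, n) and relabel(g_edges, response) == g_prime
    return is_hamiltonian_cycle(g_prime, response, n)


def run_zkp(g_edges, cycle, n, m, seed=None):
    """m independent iterations; B rejects as soon as one round fails."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    prover = Prover(g_edges, cycle, n, rng)
    for _ in range(m):
        g_prime = prover.commit()              # (a) A -> B
        r_b = rng.getrandbits(1)               # (b) B -> A
        if not verify_round(g_edges, n, g_prime, r_b, prover.respond(r_b)):
            return False
    return True


# Constructed toy instance: cycle 0-1-2-3-4-5-0 plus three chords.
N_VERTS = 6
G = frozenset(frozenset(e) for e in
              [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0), (0, 2), (1, 4), (3, 5)])
SECRET_CYCLE = [0, 1, 2, 3, 4, 5]

if __name__ == "__main__":
    print(run_zkp(G, SECRET_CYCLE, N_VERTS, 20))
```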

6 Conclusions 

One of the main objectives of this work has been to provide a short survey 
of the two most important primitives in two-party cryptographic protocol 
design. Such a review has shown that finite fields play a crucial role in the design 
of well-known cryptographic protocols. On the other hand, formal characteri- 
zations of definitions, general schemes for such primitives, and descriptions of 
new algorithms based on Discrete Mathematics have also been given within this 
paper. 

This work has emphasized several aspects regarding typical cryptographic 
protocol design such as the existing relationship among different primitives, 
the important function played by certain cryptographic primitives as building 
blocks of more complex protocols, the presence of common schemes in various 
algorithms, and the use of typical ingredients such as interaction, randomness, 
and complexity assumptions in the definition of most algorithms. 